author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-09-11 22:20:49 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-09-11 22:20:49 +0000 |
commit | ee0d062579fd628e14a33de487f04db6c16f4273 (patch) | |
tree | eaaf75c2dbf99222bfce6f8a608943532bb3176b /sys/net/pf.c | |
parent | 9ebb0e3095bfc9a4093b4d29698a56e2a6b8cbeb (diff) |
Undo BINAT translation when blocking with return-rst/-icmp.
Translate at most once. From Ryan McBride.
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 284008a346c..7303d085e10 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.147 2001/09/06 18:05:46 jasoni Exp $ */
+/* $OpenBSD: pf.c,v 1.148 2001/09/11 22:20:48 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2277,7 +2277,7 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 rewrite++;
 }
 /* check incoming packet for BINAT */
-if ((binat = pf_get_binat(PF_IN, ifp, IPPROTO_TCP,
+else if ((binat = pf_get_binat(PF_IN, ifp, IPPROTO_TCP,
 h->ip_dst.s_addr, h->ip_dst.s_addr)) != NULL) {
 baddr = h->ip_dst.s_addr;
 bport = th->th_dport;
@@ -2335,11 +2335,13 @@ pf_test_tcp(int direction, struct ifnet *ifp, struct mbuf *m,
 if ((rm->action == PF_DROP) &&
 ((rm->rule_flag & PFRULE_RETURNRST) || rm->return_icmp)) {
 /* undo NAT/RST changes, if they have taken place */
-if (nat != NULL) {
+if (nat != NULL ||
+(binat != NULL && direction == PF_OUT)) {
 pf_change_ap(&h->ip_src.s_addr, &th->th_sport,
 &h->ip_sum, &th->th_sum, baddr, bport, 0);
 rewrite++;
-} else if (rdr != NULL) {
+} else if (rdr != NULL ||
+(binat != NULL && direction == PF_IN)) {
 pf_change_ap(&h->ip_dst.s_addr, &th->th_dport,
 &h->ip_sum, &th->th_sum, baddr, bport, 0);
 rewrite++;
@@ -2494,7 +2496,7 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m,
 rewrite++;
 }
 /* check incoming packet for BINAT */
-if ((binat = pf_get_binat(PF_IN, ifp, IPPROTO_UDP,
+else if ((binat = pf_get_binat(PF_IN, ifp, IPPROTO_UDP,
 h->ip_dst.s_addr, h->ip_dst.s_addr)) != NULL) {
 baddr = h->ip_dst.s_addr;
 bport = uh->uh_dport;
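Review bot: The new `else if` on the IPPROTO_TCP BINAT lookup is separated from the branch it chains onto by a closing `}` and the comment line `/* check incoming packet for BINAT */`, so a reader scanning the function sees a stand-alone `if` and misses that the commit has made the two translations mutually exclusive; the IPPROTO_UDP hunk in pf_test_udp has the identical shape. I would put the join at the brace, `} else if ((binat = pf_get_binat(PF_IN, ifp, IPPROTO_TCP,`, and move the comment inside the branch, widened to state the invariant the commit message gives: `/* check incoming packet for BINAT; a packet is translated at most once */`. The branch that this `else` now pairs with opens before the hunk, so I cannot confirm from here which translation it performs or that `binat` is initialised to NULL on the path where neither branch is taken.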
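Review bot: The comment `/* undo NAT/RST changes, if they have taken place */` above the widened condition in the pf_test_tcp return-rst/return-icmp hunk no longer describes it: the branch now also reverses BINAT in either direction and RDR, none of which is an RST. I would replace it with `/* undo NAT/BINAT/RDR translation, if it has taken place, so the RST/ICMP reply is built from the original addresses; baddr/bport were saved by the branch that rewrote the header */`, because the undo is selected by which of `nat`/`binat`/`rdr` is non-NULL plus `direction` but rewrites with `baddr`/`bport`, and it is only correct if every translation branch saved the pre-translation values the way the BINAT branch in the earlier hunk does (`baddr = h->ip_dst.s_addr; bport = th->th_dport;`) — a future branch that sets its pointer without doing so would rewrite the header with stale values. The same stale comment appears in the pf_test_udp hunk that follows, whose last line is cut off in this view. The enclosing pf_test_tcp body continues past this hunk.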
@@ -2549,11 +2551,13 @@ pf_test_udp(int direction, struct ifnet *ifp, struct mbuf *m,
 if ((rm->action == PF_DROP) && rm->return_icmp) {
 /* undo NAT/RST changes, if they have taken place */
-if (nat != NULL) {
+if (nat != NULL ||
+(binat != NULL && direction == PF_OUT)) {
 pf_change_ap(&h->ip_src.s_addr, &uh->uh_sport,
 &h->ip_sum, &uh->uh_sum, baddr, bport, 1);
 rewrite++;
-} else if (rdr != NULL) {
+} else if (rdr != NULL ||
+(binat != NULL && direction == PF_IN)) {
 pf_change_ap(&h->ip_dst.s_addr, &uh->uh_dport,
 &h->ip_sum, &uh->uh_sum, baddr, bport, 1);
 rewrite++; |